arla and PAM

[Brandon S. Allbery KF8NH]

In message <19990126020800.4914.rocketmail at send204.yahoomail.com>, Jim Nance 
wr
ites:
+-----
| When I login using the login program that comes with
| Red Hat 5.2 I have no tokens.  I have to run aklog
| to get them.  I think it should be possible write a
| PAM module that would get tokens when I logged in
| (this appeals to me much more than replacing the login
| program).  I found what I thought was such a module in
| the krb-kth source.  After I looked at it some more
| it appeared to authenticate users via kerberos but it
| did not seem to get AFS tokens.  Does anyone know of
+--->8

The PAM module (and SIA module as well) with KTH appears to be broken.  :-(  
I gave up on them several months ago.  (A real problem, as I need the SIA 
module badly.)

In CMU ECE we're currently using pam_linux_afs, which you can find via links 
from the Linux PAM page on www.kernel.org.  This is something of a kludge 
because it execs klog and unlog as appropriate (necessary because it was 
written in Germany, where AFS libraries are not available due to U.S export 
restrictions).  ---Note that Red Hat 5.2's /bin/login has a bug that breaks 
pam_linux_afs severely:  it closes the PAM session before exec'ing the login 
shell.  You can work around this by adding the no_unlog flag to the PAM 
session entry, or I have a patched util-linux package which fixes the bug.  
(I've also reported it to Red Hat and they've fixed it internally; they 
didn't provide an updated RPM, though.)

-- 
brandon s. allbery	[os/2][linux][solaris][japh]	 allbery at kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery at ece.cmu.edu
carnegie mellon / electrical and computer engineering			 KF8NH
     We are Linux. Resistance is an indication that you missed the point.